Velocity Reviews - Computer Hardware Reviews

penetration testing

 
 
suraku@gmail.com
07-06-2006
I'm involved in a class at my university doing penetration testing of
various companies in our area. However, one of the companies apparently
has good, or at least decent, security: any attempts to nmap the
address return no open ports and no OS information (even on a full
65535-port scan). Nessus and N-Stealth do not have any luck either. At
this point I'm thinking they have a good firewall but would still like
to try to find some vulnerabilities. What would be a good next step to
try to either gain access WITHOUT DAMAGING THE SYSTEM or obtain more
recon information on the server to base future actions on?

 
Todd H.
07-06-2006
"(E-Mail Removed)" <(E-Mail Removed)> writes:

> i'm involved in a class at my university doing penetration testing of
> various companies in our area


I sure hope you have their legal consent to do this. If not, and your
instructor has told you to do this, I'd say he or she is not too
bright and just begging for legal action of some sort.

You simply shouldn't do penetration testing without written legal
consent of the parties being evaluated. It's a good way to go to jail
(without passing Go or collecting $200).

> however one of the companies apparently has good, or at least
> decent, security, any attempts to nmap the address return no open
> ports and no OS information(even on full 65535 port scan),


Actually, that's called a firewall and hopefully is fairly common in
your survey.

> nessus and n-stealth do not have any luck either.


Yeah, no point really in running nessus if there aren't any ports
listening.

> at this point i'm thinking they have a good firewall but would still
> like to try to find some vulnerabilities what would be a good next
> step to try to either gain access WITHOUT DAMAGING THE SYSTEM or
> obtain more recon information on the server to base future actions
> on.


Track down the paper on firewalking. It details a method of mapping
out the firewall ruleset at least. It's pretty clever in its
technique.

However, you're not likely to get a good handle on the systems behind
it.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
Sebastian Gottschalk
07-06-2006
Todd H. wrote:
> "(E-Mail Removed)" <(E-Mail Removed)> writes:
>
>> i'm involved in a class at my university doing penetration testing
>> of various companies in our area

>
> I sure hope you have their legal consent to do this.


As long as you don't actively circumvent measures and actually spy on or
change data, you don't need any consent to do fully legal things.

> If not, and your instructor has told you to do this, I'd say he or
> she is not too bright and just begging for legal action of some sort.
>

Admitted, most companies will throw around a lot of lawsuits for maybe
not so fine, but fully legal actions.

> It's a good way to go to jail (without passing Go or collecting
> $200).


"I've got a 'You get out of jail' free card!" (Trigger Happy TV)

>> at this point i'm thinking they have a good firewall but would
>> still like to try to find some vulnerabilities what would be a good
>> next step to try to either gain access WITHOUT DAMAGING THE SYSTEM
>> or obtain more recon information on the server to base future
>> actions on.

>
> Track down the paper on firewalking. It details a method of mapping
> out the firewall ruleset at least. It's pretty clever in its
> technique.


Another interesting and/or additional approach is trying to exploit
well-known common TCP/IP problems like IP versions <> (4,6), various
types of sizing and fragmentation, certain TCP flag combinations, various
TCP options, various ICMP codes, ... The tools of choice are hping3
(yes, there's a new version) and Perl (with Net::RawIP from CPAN).

> However, you're not likely to get a good handle on the systems
> behind it.


Indeed. The best way to get a handle is to intercept the line (or do
some DNS manipulation) to redirect traffic partially to your system
and to pass some arbitrarily chosen content that keeps up permanent
connections, allowing passing chosen traffic as connection-related content.
 
Todd H.
07-06-2006
Sebastian Gottschalk <(E-Mail Removed)> writes:

> Todd H. wrote:
> > "(E-Mail Removed)" <(E-Mail Removed)> writes:
> >
> >> i'm involved in a class at my university doing penetration testing
> >> of various companies in our area

> >
> > I sure hope you have their legal consent to do this.

>
> As long as you don't actively circumvent measures and actually spy on or
> change data, you don't need any consent to do fully legal things.


Sebastianeriffic, my delightful fault finding friend, you're good at
picking apart definitions. Look up a few definitions of penetration
testing for us would ya?

Penetration testing vs network or vulnerability scanning is all about
testing that next step--i.e. the ability to actively circumvent
measures.

Or, just run a true pentest against a few sites of a sufficiently
clueful government from your own IP and let me know how that works
out for ya.

On the corporate side, as you correctly say, whether laws are broken
is unrelated to whether or not you can be successfully sued for your
unauthorized pentest. Try pentesting a financial institution in or
around the time they have something go down. If downtime costs them
$100,000 a minute, you'll have a problem.

> "I've got a 'You get out of jail' free card!" (Trigger Happy TV)


Yup, you got it. That's actually what our security group refer to the
legal indemnity letter as. And it's absolutely what one should have
before conducting a pentest upon targets you don't exclusively own.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
Sebastian Gottschalk
07-06-2006
Todd H. wrote:

> Penetration testing vs network or vulnerability scanning is all about
> testing that next step--i.e. the ability to actively circumvent
> measures.


Actively circumventing is modification or bypassing, not using
legitimate channels. Or is knocking on your door a trivial of actively
circumventing your door? Please don't twist it with a successful
penetration and going further on penetrating. A penetration test is
supposed to show that a penetration on that way is not successful.
 
Bit Twister
07-06-2006
On Thu, 06 Jul 2006 20:51:24 +0200, Sebastian Gottschalk wrote:
>
> As long as you don't actively circumvent measures and actually spy on or
> change data, you don't need any consent to do fully legal things.


Heheheh, sounds good but it will depend on laws made by the country
in which the event happens. Here in the United States of America some
states make it a crime to ping an ip address.
 
Todd H.
07-06-2006
Sebastian Gottschalk <(E-Mail Removed)> writes:

> Todd H. wrote:
>
> > Penetration testing vs network or vulnerability scanning is all about
> > testing that next step--i.e. the ability to actively circumvent
> > measures.

>
> Actively circumventing is modification or bypassing, not using
> legitimate channels. Or is knocking on your door a trivial of actively
> circumventing your door? Please don't twist it with a successful
> penetration and going further on penetrating. A penetration test is
> supposed to show that a penetration on that way is not successful.


Successful penetration -- be it as simple as logging onto a box using
a guessed default admin password is enough to put you in harm's way in
many countries unless you have consent.

This distinction is also a useful one to draw here:
http://www.darknet.org.uk/2006/04/pe...ty-assessment/

The moral: a professor who tells his students to penetration test
random companies on the internet is an irresponsible moron IMNSHO.

Best Regards,
--
Todd H.
http://www.toddh.net/
 